Microsoft will update Windows Update to stymie Flame-like attacks

Microsoft has announced it will issue an update to Windows Update to prevent copycat hackers from duplicating Flame's feat of infecting fully-patched PCs by faking the service. The company also described in more detail how Flame's authors were able to spoof Windows Update.

On Sunday, Microsoft acknowledged that Flame -- the super-espionage toolkit that has infected Windows PCs throughout the Middle East, but appears to have been aimed at Iran in particular -- used fraudulent code-signing certificates generated by abusing the company's Terminal Services licensing certificate authority (CA), which is normally used by enterprises to authorize remote desktop services and sessions.

Later, Microsoft also confirmed that those certificates were used to sign bogus updates that were force-fed to uninfected PCs by a Flame-compromised computer on the same network. Researchers at Kaspersky Lab and Symantec used their forensic analyses to more completely describe how Flame managed the feat.

Today, Microsoft said that Flame was able to trick Windows XP machines into accepting the phony Windows Updates once its authors had generated digital certificates with Microsoft's own "signature."

But to dupe Windows Vista and Windows 7 systems, the hackers had to go a step further.

To do that, they leveraged several weaknesses in Microsoft's certificate infrastructure and signing to perform a cryptographic "collision attack," where two different values produce the same cryptographic "hash."

"After [the collision] attack, the attacker had a certificate that could be used to sign code that chained up to the Microsoft Root Authority and worked on all versions of Windows [emphasis added]," Ness wrote today on the Security Research & Defense blog.

The combination of the flaws in the Terminal Services' CA and the collision attack made it possible for Flame to hoodwink Windows Vista and Windows 7 PCs as well as those running the 11-year-old XP.

Microsoft's Windows Update team also blogged Wednesday to explain how it plans to better secure Windows' default update mechanism, which is used by hundreds of millions of PCs worldwide, to prevent a repeat of the Flame tactic.

An update for Windows Update, to be pushed to users later this week, will force the service to acknowledge only certificates issued by a new authority the company will create. The service will no longer accept other Microsoft-signed digital signatures, as it has since its inception.

"Second, we are strengthening the communication channel used by Windows Update in a similar way," the blog stated.

Companies that use Windows Server Update Services (WSUS), a Windows Server component and the de facto patching and update mechanism for most businesses, will be updated in a similar fashion.

Andrew Storms, director of security operations at nCircle Security, was disappointed in the lack of detail in Microsoft's explanation of the changes. "They basically admitted that Windows Update was man-in-the-middled, but then said very little about how they are fixing it," Storms said in an interview via instant messaging Wednesday.
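The policy change described above, in which Windows Update stops accepting anything that chains to the Microsoft root and acknowledges only certificates from a new dedicated authority, can be modelled as follows. This is an added example, not Microsoft's code: the trust store is constructed, the dedicated authority's name is hypothetical, and the model compares issuer names only, where a real validator would also verify signatures, validity dates and key usage.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

# Constructed, simplified trust store: names only, no real keys or signatures.
PINNED_CA = "Update Signing CA (hypothetical)"  # assumed name, not from the article
ROOT = Cert("Microsoft Root Authority", "Microsoft Root Authority")
STORE = {c.subject: c for c in (
    ROOT,
    Cert("Terminal Services Licensing CA", ROOT.subject),
    Cert(PINNED_CA, ROOT.subject),
    Cert("Licensing-issued signer (constructed)", "Terminal Services Licensing CA"),
    Cert("Update publisher (constructed)", PINNED_CA),
)}

def chain_of(subject, store=STORE, max_depth=8):
    """Return the issuer chain from leaf to a self-signed root, or None."""
    chain = []
    current = store.get(subject)
    while current is not None and len(chain) < max_depth:
        chain.append(current)
        if current.issuer == current.subject:
            return chain
        current = store.get(current.issuer)
    return None  # unknown issuer, issuer loop, or chain too deep

def accepts_any_root_chain(signer):
    """Earlier policy: any signer that chains to the root is accepted."""
    chain = chain_of(signer)
    return chain is not None and chain[-1] == ROOT

def accepts_pinned_chain(signer, pinned=PINNED_CA):
    """Updated policy: the signer must be issued directly by the dedicated CA."""
    chain = chain_of(signer)
    return (chain is not None and chain[-1] == ROOT
            and len(chain) == 3 and chain[1].subject == pinned)
```

Under the earlier policy both constructed signers are accepted because both reach the root; under the pinned policy only the signer issued by the dedicated authority passes.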